[tor-bugs] #4410 [Tor Client]: Remote assertion failure in client
Tor Bug Tracker & Wiki
torproject-admin at torproject.org
Sun Nov 6 13:06:14 UTC 2011
#4410: Remote assertion failure in client
------------------------+---------------------------------------------------
Reporter: drosenbe | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: Tor Client | Version: Tor: unspecified
Keywords: | Parent:
Points: | Actualpoints:
------------------------+---------------------------------------------------
It appears to be possible to remotely trigger an assertion failure in the
client when it's parsing directory authority responses.
If a client receives a response with purpose
DIR_PURPOSE_FETCH_RENDDESC_V2, it calls
rend_cache_store_v2_desc_as_client() (in or/rendcommon.c), which
immediately calls rend_parse_v2_service_descriptor() (in or/routerparse.c)
to parse the descriptor. This will parse the descriptor and pull out the
encrypted introduction points without validation on contents or size (to
be performed later).
Then, back in rend_cache_store_v2_desc_as_client(),
rend_decrypt_introduction_points() (in or/routerparse.c) is called. This
function verifies the size of the encrypted introduction isn't less than
2. If the type is REND_STEALTH_AUTH, the following is immediately called:
dec = tor_malloc_zero(ipos_encrypted_size - CIPHER_IV_LEN - 1);
If the size is less than CIPHER_IV_LEN, this will underflow and the
allocation attempt on a huge size will trigger an assertion failure.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/4410>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list